You’re great at security: you manage your long, secure passwords effectively, you shred all of your sensitive documents thoroughly, and you check your credit report and your online statements frequently. Good job! But all the micromanaging in the world can’t prevent you from being a victim of tax fraud if a hacker intercepts your W-2 and all of the information in it before it ever even gets to you.

That’s what your enterprising criminal mastermind is up to these days, reports security expert Brian Krebs. Krebs (whom you may remember as the guy who broke the news of 2013’s Target data breach) says that scammers aren’t gaining access to individuals’ materials but are instead going big: directly to the HR departments of the companies that employ dozens or hundreds of people.

The hackers gain entry to HR software at “compromised organizations” and dig around until they find themselves a database full of W-2 forms. Once scammers have access to that giant pile of forms, they immediately try to file federal returns on all of them. Then all they need to do is misdirect the money from a refund back to their own scammy pockets:

Successfully-filed returns are routed to prepaid American Express cards that are requested to be sent to addresses in the United States corresponding to specific “drops,” or co-conspirators in the scheme who have agreed to receive the prepaid cards and “cash out” the balance — minus their fee for processing the bogus returns.

Krebs found that one particular piece of third-party payroll software, Ultipro, seems to be the favored target. The problem doesn’t seem to be with the software itself, though. At least, not according to the company that makes it. A marketing executive for that company, Florida-based Ultimate Software, told Krebs that the security hole isn’t an issue of a code vulnerability that they can fix, but is instead “the result of stolen login information on the end-user level.”

Meaning: someone manages to steal an HR employee’s username and password, logs into the system masquerading as that employee, and then steals all the information they need for a profitable wave of identity theft.

From there, it takes the bad guys very little time to try to file all those fake returns, because they’ve engineered software to do it for them. The crimeware, as Krebs calls it, can take all the data and methodically fling it at an e-filing service — in this case, H&R Block’s. And the nefarious evildoers behind it have found a way to profit from it twice over: not only are they committing tax fraud, but they’re also licensing the software to others so that they can do the same.

Tax return fraud is nothing new; the concept has been around forever. The sheer scope and near-automation of the process afforded by the digital era are newer, though. The IRS issued an estimated $4 billion in fraudulent refunds in 2012 alone. So far, Krebs reports, this particular scam seems tied to over $1 million in fraud.

Today is the deadline for filing your 2013 federal taxes. Hopefully the procrastinators among us sliding their returns in just under the wire won’t encounter any problems. But if you do find out at 11:59 tonight that someone else pretending to be you got there first, take these steps to start getting the situation sorted out.